Debian Project News - February 16th, 2015

Welcome to this year's first issue of DPN, the newsletter for the Debian community. Topics covered in this issue include:

A brief history of the arm64 port

Steve McIntyre walks us through a brief history of the Debian ARM port.

Now an official release architecture for Jessie, arm64 took many years and a lot of CPU time considering the over 21,000 source packages available. From the inception of the port, developers struggled for accessible hardware and were only able to work on it using ARM's AArch64 software models, until the folks running the Tianhe-2 supercomputer project in China contacted the team to offer access to their arm64 hardware.

Later as ARM started producing its own Juno development boards, Debian Developers were able to acquire some for use as official Debian build machines. The Juno buildds ran well and with them a large portion of the Debian archive was built; however, suitability issues begin to arise with using them all over the world and with many developers using them for debugging the new architecture. Things progressed as best they could until Linaro, with a goal of helping to improve FOSS on ARM, came to the aid of the project with a cluster of servers made available for software developers to use to get early access to ARMv8 hardware.

Debian was able to negotiate dedicated access to three of the machines from the cluster in October of 2014, with two of the machines serving as build machines and the other as a porter box. Developers now had the necessary hardware in place to race against the small amount of time left before the freeze of Jessie.

They did just that at the Cambridge mini-DebConf in November of 2014 where ARM was officially added to the list of release architectures. Since that time Steve has managed to obtain another arm64 machine on loan from AMD to Debian to use for further porting and building. He expects that as more vendors move from prototype to production, more hardware will become available, and hopes to see ARM running not just in your server rooms, but on your desktops and laptops. Running Jessie of course.

First release candidate of Jessie Debian Installer

The Debian Installer Jessie RC1 release has been announced. Changes include checks for missing firmware, the official artwork for Jessie, the renaming of 486 to 586, and an updated mirror listing. Other items of note are language support for 75 languages, a PXE-bootable grub.efi, imx6 support and netcfg interface.d support. The Debian Installer team extends a Thank You to all the people who contributed towards this release. The team also extends a call for help for testers to help find bugs in all media available.

Debian Mirrors new and old

Yasuhiro Araki, who has provided cdn.debian.net since February of 2008, is planning on orphaning the project in light of the more recent http.debian.net. As he begins the process DNS for cdn.debian.net will eventually point to http.debian.net. Thank you Yasuhiro for the many years of service.

The Debian Project is pleased to announce a new security.debian.org mirror with hardware and hosting provided by SAKURA Internet, Inc. The new host is located in and serves content from Japan and will service users in Asia.

Debian Long Term Support

Freexian's fifth report about Debian Long Term Support showed that in the month of December 46 work hours were split among four paid LTS contributors. Compared to the month of November the number of paid hours has not increased from the allotted 48 hours per month. Starting this year, 2015, with more sponsors the team hopes to have an increase in available funding, towards the goal of funding the equivalent of a half-time position. Security updates in LTS held close to the same numbers are last month with 30 packages awaiting an update affecting around 56 packages in total.

Thorsten Alteholz updated his LTS status for December for which he was assigned 20.5 hours towards LTS. He used the time to upload new security updates to 14 packages including flac, tcpdump, jasper, unzip, and many others. Thorsten sponsored the upload of an ettercap security update, which may be the first non-Debian Developer patch for LTS, for which he thanks Nguyen Cong and Toshiba.

Raphaël Hertzog blogged about his December 2014 LTS work: he was assigned 20 hours of LTS work which was spent on CVE triage with 47 commits to the security tracker, two fixes for wishlist bugs and several releases of which the biggest was DLA-120-1 on xorg-server which took over 6 hours to backport, but fixed 12 CVEs. Raphaël created a dedicated funding subpage on the LTS wiki, which now gives more information to interested parties and opens up the project for more companies to get involved in and to contribute to. The new page fixes what may have been an erroneously implied relationship between Freexian as an LTS sponsor and the Debian project.

Ben Hutchings posted his LTS summary with 11.5 hours of support on LTS and an update to the kernel package linux-2.6, version 2.6.32-48squeeze9. The LTS team had been working with and using an older kernel with applied security and critical fixes until a recent shift to rebase packages on the 2014 2.6.32.64 release. Ben reviewed and applied fixes and security flaws for the kernel for upstream inclusion into 2.6.32.65.

Holger Levsen reported on 11 LTS hours working on the linux-2.6 security update, bind9, and ntp.

Debian members vote to limit Technical Committee Term

Debian members were called by Kurt Roeckx, Debian secretary, to vote on a general resolution to change the Debian Constitution, and create term limits for Technical Committee members. Both proposals aimed at creating a regular turnover of Technical Committee members, by enforcing a term limit of about four years. The proposals differed in the way they respond to resignations or removals of TC members for reasons other than the term limit. The first option, which could result in more than two TC members leaving the TC during the same year, won the vote. More details about the results of this vote can be found on the page of the website dedicated to this general resolution.

Call for projects and mentors for Debian GSoC 2015

Nicolas Dandrimont asked all Debian contributors for projects and mentors to help Debian participate in the eleventh year of the Google Summer of Code. Everyone (member of the Debian project or not, student or not) is welcome to submit their ideas, and to try and find people willing to mentor the projects, explained Nicolas in his mail. If you have an idea, please publish it on the wiki page, and send an email to the coordination mailing list. You can also contact Nicolas and the other GSoC administrators for Debian on their mailing list or on their IRC channel, #debian-soc on irc.debian.org.

Progress on reproducible builds

The reproducible builds team sent a report about their work, which enables anyone to independently confirm that a given Debian binary package was indeed built from some specified source package. Currently, more than 83% of all the source packages in the main archive of the unstable distribution can be built reproducibly. The team developed the tool debbindiff to provide in-depth detailed diffs of binary packages. Packages are then built twice on jenkins.debian.net, and reproducibility results are reported on the Debian Package Tracker. The team is considering submitting a proposal to make reproducible builds a release goal for Stretch, the next stable release after Jessie.

Bug Squashing Parties

Bernd Zeimetz announced a Debian Bug Squashing Party, which will be held on April 17-19 2015. Registration can be completed through the BSP wiki page. The BSP will be located close to Salzburg Airport W.A. Mozart, at the office of Conova Communications Gmbh. Besides registration, the wiki page covers hotel accommodations, sightseeing possibilities, meal planning, and leisure activities. Bernd welcomes team meetings or sprints, but warns travellers to email him in advance to ensure accommodation.

In a series of quick blog posts, Jonathan Wiltshire reported on three days of the Alcester Bug Squashing Party (BSP) which closed and worked on a large number of bugs, downgrades, removals, and patches.

Recap of the 2015 mini-DebConf in Mumbai

A mini-DebConf took place at the Indian Institute of Technology Bombay (IIT Bombay). The conference was opened by Professor Kumar Appaiah from the Electrical Engineering department. Other notable speakers included Kannan Moudgalya, head of the Free and Open Source Software for Education (FOSSEE) project. Among the topics discussed were open source software security, Debian on ARM by Siji Sunny, and Raspbian (Debian on Raspberry Pi). A total recap of topics and discussions can be found on linuxveda. Jaldhar H. Vyas attended the mini-DebConf, and completed a lengthy blog summary. Organisers of the conference were pleased with the turn-out, and plan another mini-DebConf next year.

2048-bit key removal from Debian keyrings

The keyring-maint team is proud to announce that, after almost five years of actively requesting stronger keys to be used for the project, and after a four months intensive campaign to speed up the key migration, as of January 1 we have disabled all PGP keys weaker than 2048 bits.

A full list of affected keys together with the requisites and instructions on how to submit a new key for Debian is available. A statistical roundup of the keyrings' evolution can be found in a blog post by Gunnar Wolf.

Reports

Jingjie Jiang, our OPW (Outreach Program for Women) intern, posted a progress report on her work on debsources. Several bugs were fixed and are to be merged into the codebase, such as allowing symbolic links within the same version, and override detection. She has also been working towards making debsources available on sor.debian.org, and provided some thoughts on the benefits of OPW internship.

Niels Thykier gave an update on the status of Jessie as of December of 2014. Currently there is no set release date and there is still much work to be done. He reminded users and developers of the automatic removal clause that was about to go into effect; any package with a dependency on a threatened package may itself be at risk. Work on the release notes still needs more time and hands. While the number of bugs is declining there are still a few problematic bugs to be solved.

At this time only RC bug fixes are being accepted. Help is requested! Users can file bugs against the release notes concerning missing or outdated documentation, fix the known RC bugs that are blocking Jessie, and report on tests of upgrade paths and installation media.

Steve McIntyre's work on UEFI support in Jessie continued with a series of posts on getting an i386-only UEFI net install up and running (and made available with test images to download), then a mixed 32- and 64-bit UEFI net install (available for testing and download), and later work on integration of 32-bit grub-efi with patches to the Linux kernel, grub2 for /sys and a grub-installer patch. Steve's last update was in mid-January of 2015, when he also announced a pause in development in favour of a few other items that need work such as RC bugs, sorting Mac-only 32-bit images, and debian-live images.

Gregor Herrmann updated some RC bugs dealt with in the last few weeks on lirc-x, gxine, rtpproxy, and ciderwebmail to name a few.

Raphaël Hertzog posted his Free Software Activities for January 2015, including 12 hours of paid work on Debian LTS which had work done on libnokogiri-ruby and on pound-related SSL issues. He also submitted bugs reports for the Tryton application platform, created three Salt formulas for Saltstack, packaging for upstream releases of Django in experimental along with a pre-approval, and an unblock request for Dolibarr with input from the security team. Raphaël also worked on soliciting candidates for Debian France's election for a third board member.

Thomas Goirand gave an update on OpenStack image availability letting us know that it is now generated at the same time as the official Debian CD ISO images. He suggests cloud users and public cloud operators should download the now available weekly build. Presently the only arch available is arm64, which historically has not been a problem for operators. Goirand adds a few suggestions and comments for the image generation and included sources.tar.gz file. Contributors and testers are welcomed.

Roland Fehrenbacher wrote on his blog a report on the DebianMed Sprint 2015, which took place in Saint-Malo, France, from January 30 to February 2. He gave a brief review of the various presentations and discussions that occurred during this meeting as well as the packaging and mentoring activities. In related news, Andreas Tille announced a Debian Med Mentoring of the month initiative for women. See the wiki page dedicated to the initiative for more details.

Other news

The eighth update of the stable distribution of Debian (codename Wheezy) was released on January 10.

Christian Perrier asked on his blog who was going to report bug #777777 in the Debian bug tracking system. Matthias Klose answered that question a few hours later, by opening a bug against the package aqsis.

Lucas Nussbaum announced that he will not seek re-election in his position as the Debian Project Leader (DPL), and shares some insight and thoughts about the transition to the next DPL while reflecting on some of the events of his term. With a new election slated to start in the upcoming months, he suggests that we in the community champion a lively campaign by reaching out to our dream candidates and encouraging them to run, or perhaps running for the position ourselves. On the project mailing list a separate thread asks, What do you expect from the DPL?

The Debian France association is organising a mini-DebConf on April 11 and 12, in Lyon, France, hosted by the Maison Pour Tous-Salle des Rancy. If you're planning to attend, please add your name to the list on the dedicated wiki page.

Lucas Nussbaum updated the delegation for the Debian System Administrators team, which counts now two new official members: Paul Wise and Julien Cristau. Kurt Roeckx has been reappointed as Project Secretary for one more year.

This Debian News Project issue just beats the length record previously held by the 2006/28 issue, and becomes for now the longest DPN ever.

New Debian Contributors

3 applicants have been accepted as Debian Developers, 8 applicants have been accepted as Debian Maintainer, and 11 people have started to maintain packages since the previous issue of the Debian Project News. Please welcome Nattie Mayer-Hutchings, Sebastiaan Couwenberg, Johannes Schauer, Alexander Alemayhu, Daniel Stender, Nigel Kukard, Sebastian Andrzej Siewior, Helge Kreutzmann, Etienne Millon, Steven Chamberlain, Timothy Potter, Dmitry Bogatov, Edward Betts, Aggelos Avgerinos, Florian Pelgrim, Alessio Di Mauro, Michael R. Crusoe, Mario Stephan, Christopher Hoskin, Antonio Cardoso Martins, Patrick Huck, and Peter Spiess-Knafl into our project!

Release-Critical bugs statistics for the upcoming release

According to the Bugs Search interface of the Ultimate Debian Database, the upcoming release, Debian Jessie, is currently affected by 147 Release-Critical bugs. Ignoring bugs which are easily solved or on the way to being solved, roughly speaking, about 77 Release-Critical bugs remain to be solved for the release to happen.

There are also more detailed statistics as well as some hints on how to interpret these numbers.

Important Debian Security Advisories

Debian's Security Team recently released advisories for these packages (among others): pyyaml, polarssl, php5, strongswan, libevent, mantis, file, curl, binutils, otrs2, openssl, php5, iceweasel, linux, rpm, lsyncd, xdg-utils, icedove, privoxy, sympa, mysql-5.5, polarssl, websvn, jasper, squid, xen, wireshark, eglibc, virtualbox, openjdk-7, privoxy, requests, openjdk-6, chromium-browser, condor, vlc, python-django, unzip, krb5, ntp, postgresql-9.1, ruby1.9.1, unrtf, ruby1.8, xorg-server, and dbus. Please read them carefully and take the proper measures.

The Debian team in charge of Squeeze Long Term Support released security update announcements for these packages: mime-support, ettercap, ettercap, pyyaml, polarssl, sox, firebird2.1, file, openssl, unrtf, curl, ia32-libs, tomcat6, websvn, libevent, eglibc, rpm, jasper, libksba, privoxy, python-django, polarssl, php5, wpasupplicant, sympa, krb5, unzip, ntp, libxml2, and postgresql-8.4. Please read them carefully and take the proper measures.

Debian's Stable Release Team released an update announcement for the packages: tzdata and libdatetime-timezone-perl. Please read it carefully and take the proper measures.

Please note that these are a selection of the more important security advisories of the last weeks. If you need to be kept up to date about security advisories released by the Debian Security Team, please subscribe to the security mailing list (and the separate backports list, stable updates list, and long term support security updates list) for announcements.

New and noteworthy packages

158 packages were added to the unstable Debian archive recently. Among many others are:

Work-needing packages

Currently 668 packages are orphaned and 155 packages are up for adoption: please visit the complete list of packages which need your help.

Want to continue reading DPN?

Please help us create this newsletter. We still need more volunteer writers to watch the Debian community and report about what is going on. Please see the contributing page to find out how to help. We're looking forward to receiving your mail at debian-publicity@lists.debian.org.


To receive this newsletter bi-weekly in your mailbox, subscribe to the debian-news mailing list.

Back issues of this newsletter are available.

This issue of Debian Project News was edited by Cédric Boutillier, Jean-Pierre Giraud, Carl J Mannino, Donald Norwood, Justin B Rye and Paul Wise.